The 2017 hack of Equifax, already among the largest ever recorded, just got bigger. Well, they’re admitting that it was bigger than they had previously, which amounts to the same thing. Documents filed with the SEC reveal that more people, more IDs, and more info in general was stolen when the company utterly failed to protect its “users,” many of which didn’t even know they were in the database.

The company revealed various numbers around the time it disclosed the hack, though one it neglected to include was how many millions of dollars in stock were sold by executives before publicly disclosing it. But let’s not linger on their past crimes. I’m sure they’re very sorry!

Today’s information was filed with the Securities and Exchange Commission as part of the company’s disclosures regarding the hack. It provided first a handy table listing what was stolen as raw strings of data from Equifax’s inadequately protected databases:

Full name: 146.6M

Date of Birth: 146.6M

Social Security number: 145.5M

Full address: 99M

Gender: 27.3M

Phone number: 20.3M

Driver’s license number (incl. 2.4M partials): 17.6M

Email address: 1.8M

Credit card numbers (with expiration dates): 209,000

Individual Tax Identification Number (ITIN/Tax ID): 97,500

Driver’s license state: 27,000

Previous estimates of driver’s license numbers leaked were around 10.9 million, and total affected put at 143 million. Sure, the difference between 143 million and 146.6 million is relatively small, but it’s still 3.6 million people.

Secondly the filing includes a table listing images stolen by the attackers. These were “uploaded to Equifax’s online dispute portal by approximately 182,000 U.S. consumers,” the document says.

Driver’s license: 38,000

Social Security of Taxpayer ID Card: 12,000

Passport or Passport Card: 3,200

Other: 3,000

It’s unclear why these don’t add up to 182,000, but the images could also have been non-valuable things like forms or pictures of assets.

Imagine the kind of havoc you could wreak with even a few isolated data points from this set. Phishing teams and other scammers must be having the time of their lives: with so much official data to use, it’s that much easier to convince someone that a service or email is legitimate. Images of licenses and passports could lead to more sophisticated fraud at borders or in other government situations as well.